Physical Key Escrow

The city council in Cedar Falls, Iowa has absolutely crossed the line. They voted 6-1 in favor of expanding the use of lock boxes on commercial property. Property owners would be forced to place the keys to their businesses in boxes outside their doors so that firefighters, in that one-in-a-million chance, would have easy access to get inside.

Comments

Leon - easy; when the police come to investigate a robbery and realize the crooks took the key out of the lockbox to open the store and not set off the alarms, they will know that the store owner did put the correct key in the lockbox.

This has been standard practice e.g. in Germany for a LONG time. Firefighters need to be able to quickly reach a fire, after all. If they first have to fetch a couple of fire axes and kick in a bunch of doors, that endangers both the company property and the firefighters' health (and their equipment).

These keys are typically stored in a strongbox that's embedded in an outside wall, and it's usually also connected to the alarm system.

This may superficially be like key escrow, but I don't think one can treat their risks equally in any meaningful way.

I have never heard of a robbery that has been committed by stealing the firefighters' keys. It's much easier to break in through the physical door, than to get a key out of that lock box.

It's very common here in Switzerland, even used by banks, and it is very simple to connect the key and safe with the alarm system. It is also used by elevator emergency service personnel so they get access to the building. See link for an example.

I hope the city is prepared financially to pay out for all the lawsuits that will likely result, if and when any city employee is caught using the lock boxes inappropriately - or as described above other criminals are able to use them too. I bet the real criminals know how to use bolt cutters and other tools to tear open the lock boxes, even if the fire department doesn't know how to batter their way through a burning doorway!

Matthias, would firefighters never abuse their power? The police here in the UK did with pinging cellphones (see http://www.bbc.co.uk/news/technology-14141809 ). What is to stop someone with an interest "breaking" in and setting up surveillance?

Second, firefighters have no qualms about knocking down doors and whatnot, but the more doors they have to fight through to get to a fire, the longer the fire will burn.

Here in Austin, these are quite common and required by code for new buildings. They're little black hardened steel safes about 6"x6" embedded in the brickwork near the main entrance to a building. The fire department has a master key to the safe, and no one else does (supposedly). To my knowledge, there has never been a break in here using these keys.

* The only thing that's bothersome to me about the Cedar Falls version is that I believe they included apartment buildings in their code. That's a little unusual, and it's not clear if the individual units are required to escrow their keys, or if it only covers the main entrances, etc. I'll have to look around at some of the larger new apartment/condo buildings here and see if those that have interior entrances for their units have one of these boxes.

I've never NOT seen a building without a Knox Box in Champaign-Urbana. Since most physical keys are very weak protection anyway, I would prefer this to paying for a new door if a fire alarm went off. Seems like a smart business decision to me.

These things generally go by the name of Knox Boxes ( http://en.wikipedia.org/wiki/Knox_Box ) and were outed at last year's RSA conference as a major physical security vulnerability. Requirements to have a Knox Box are nothing new and are written into the commercial building codes of many municipalities.

The primary security problem created by Knox Boxes is that of Key Compromise. These boxes use a single master key for either each local fire department or each large fire region (to accommodate shared duty sharing between departments). First, no matter how good the key access control, any key can be duplicated with the right CNC machining tools, which themselves are becoming increasingly affordable. Second, the keys can be spread between multiple fire houses and departmental jurisdictions. A department with a key may be professional or volunteer, large or small with inconsistent policies and/or management. This is a recipe for poor access control.

So let's say that someone is able to either copy the key, misuse access to a key, steal a key or simply bribe someone for a key. Even if this was detected, it is completely infeasible to actually recover from the compromise. To do so would mean re-keying EVERY Knox Box in the service area. Hell, a firefighter could just drop the key in the field while responding to a call. Accidents happen, but this system is completely unable to recover from it.

If all the procedural stuff wasn't a big enough problem, Knox Boxes have technical flaws as well. Yes, even high security locks can be picked, and in most cases the Knox Box would be harder to crack than the door locks on the establishment in question. However a Knox Box that is left unlocked allows one to extract the lock mechanism and then reverse engineer the pin settings, which then allows for Key Compromise without ever needing access to an authentic Knox Box key. One can assume that every Box will be used as intended and kept locked by the building owner, but surprise, surprise, not all buildings are sticklers for the system and don't bother storing their key in the box or locking the empty box. Remember, all it takes is one unlocked box for total system compromise.

Once you know about Knox Boxes you see them everywhere. They are a bad idea and a huge security vulnerability. Unfortunately this is the sort of thing that will require a major security incident to fix.

In New York, it's very common on commercial buildings as well. And remember, firefighters respond to things other than fires. One tenant (a restaurant) in a local commercial building had a gas leak one night. When we showed up the next morning and opened the neighboring store, the gas smell was overpowering. It was *very convenient* that the fire fighters could get into the restaurant without smashing things in order to air out the building.

- locating the box, finding the master key in your pocket, trying to handle the precision key with your firefighter's protective gloves, removing your gloves, trying to open a rusty long-unused lock, groping for a can of WD40 in your other pocket, oiling the lock, waiting till the treatment starts working, finally opening the key box, removing a large keyring with a bunch of keys, finding that paper labels on the keys have faded because of time/moisture, trying all the keys on the ring, finding that no one fits because the owner had changed the lock a year ago and forgot to put the new key in the box, putting your gloves back on, axe through the glass-plate door?

PeterA:
So every option has a worst-case scenario. . .
How about when the plate-glass door is behind close-fitting steel shutters designed to protect against thieves with axes (or anything else they might use to get through the plate-glass door)?
If it's that easy to get in, so could any thief who didn't care about the alarm, which would mean that any store owner with expensive stock that's worth the risk would need to add more security.

If the box is wired into the alarm system so that *anyone* who opens it sets off the alarm surely that massively reduces the risk from stolen/cloned keys.

I'd go slightly further than you in my paranoia; who says you have to hunt around for a building where the Knox Box was left unlocked, or go to the bother of smashing one off a wall, to be able to duplicate the master key - surely easier just to rent a commercial building & get your own Knox Box to experiment with, no?

Personally I'd just lock a key in it that didn't open my building. That seems the safest option (less likely to invite hassle than refusing the box in the first place, which would be my preferred option) - anyone know the typical penalties for such, in the extremely unlikely event that they caught you?

Even if it was a rather hefty fine: given the very small likelihood of a fire, the smaller likelihood that someone would discover the key was the wrong one, and the absence of any real evidence to suggest that it, y'know, *helps* at all (round here the fire brigade seem to put most fires out absolutely fine, even if they have to put a window through), versus the considerably more likely possibility that someone will reverse engineer the boxes or acquire a key, any sane cost/benefit analysis HAS to come down on the side of putting the wrong key in the box.

If an average seven year old couldn't list most of the reasons why this was such a dumb idea, I'd be pretty surprised. Although perhaps expecting the collective intelligence of legislators to be above that of said seven year old is a trifle optimistic.

It might be worth noting that this ordinance is an adoption of the 2009 version of the International Fire Code, which includes this provision as a possibility. Cedar Falls is certainly not the first city to do this, it's just one of the first that made a more national spotlight.

Here in Cedar Falls (yes, I work at the University of Northern Iowa in Cedar Falls, IA), the real opposition from the vast majority of landlords was for the cost to the property owners for installing the boxes, not for their own or their tenants' civil liberties.

We have landlords here that don't live anywhere near the properties, sometimes even out-of-state. If a fire alarm goes off, the Fire Dept. has a duty to investigate, and if nobody was around to open a door, they break in. Often it would be a false alarm, and those same landlords would complain about costs incurred for damage to property.

That said, the right solution was to allow landlords to participate in a voluntary program. If they fear property damage due to false alarms, install a lock box. If they fear government or the risks of accessibility of keys, choose not to. Regardless, if there really is a fire visible to the fire fighters, odds are the firefighters are breaking in.

If having a lock box is to the occupant's advantage (the fire gets put out more quickly), then why does it have to be in the fire code? Wouldn't the insurance company mandate it (or give a discount), or the property owner volunteer? If the property owner decides the risk of theft is greater than the possibility of loss due to fire, why should the city care?

@S You can't open the Knox Box just because it's on your building. The location, like the location of the building numbers, is set by building code and the Fire folks know all about it. If you want to change the key in the box, because you re-keyed the building for example, you call the fire department and eventually some guy in a red car drives over to swap the key for you. We sometimes have "random" fire code inspections where they check the gauges on the sprinkler system and check that the key in the box opens the door. (Random actually means about every 5 years or when there is a fire in your industrial park.)

The real issue here is risk. The risk of any given commercial property burning down is small, so why impose this requirement on every business? Whether it works in practice or not is not really the issue, more whether it provides value from an economic and a risk point of view.

Implementation of any security system where you have a single, widely shared access device is going to fail. Why have you not heard of businesses being robbed by someone taking a key from a knox box? Because to admit to this would likely invalidate their insurance. Simples!

"It's much easier to break in through the physical door, than to get a key out of that lock box."

So, why isn't the same true for the firefighters? Either it's easier to get the key out than to bash down the door, or it's not.

Oh, sure, you probably need the right key to access the lockbox. How silly of me to think that determined criminals might manage to get a copy of that.

But then, even if they did, nothing bad would happen, right? I mean, it's not as if they could make copies of it. And even if they did, replacing the locks on all the lockboxes in the county would be easy, quick and totally not costly at all.

And indeed, all of the above is why you have one of these lockboxes on your home, too. After all, it's worth it!

As was stated above, the easy way to deal with any key control issues is very simple: trust but verify. And by verify I mean connect the knox box to your alarm or access control system to alarm whenever it's opened (or knocked off the wall for that matter). Is that perfect, no. Sure someone could MacGyver the contact point and bypass the alarm, but if you're really worried that someone is going to that length to break in to your building without detection you need to adjust your foil hat ;-)

Yes, indeed. So enforcing the worst case scenario on everybody is utter stupidity.

As for your example with steel shutters: let the damned grocery shop burn a little longer. Insurance will cover the loss for a low premium. Fires happen very rarely - robberies much much much more frequently. Steel shutters in a high-crime area is money well spent. Giving out the keys to open them is a folly.

I do not say there aren't specific cases in which key box may be prudent - like a business premise with very valuable equipment inside, requiring multiple reinforced steel doors, multiple alarm systems and a contract with a security company to send armed guards in case of detected breach. It may be prudent to contact local fire department and arrange for a quick entry for them in case of fire - not necessary by installing a key box, there are numerous other solutions that come to mind.

Voluntary installation of such a device is OK. In such a case every property owner may make their own security assessment and take the precautions they see fit. Making it compulsory is idiocy.

A key box always undermines physical security by enabling unauthorized and undetected opening of physical locks without requiring any special tools or skills (lockpicking) besides buying the master key. It *will* be available on black market - anybody thinking the master key will forever remain securely in the hands of firemen is naive at best. The longer the system is in place and the wider it is deployed, the lower the black market price for the master key. Key box absolutely requires other layers of security - CCTV, alarm systems, armed guards, whatever - and they all cost real money. What about a small business owner whose major or the only security measure is door and lock? Will the higher risk of robbery be offset by the lower damage in case of fire? And even if it will in some cases, who's to decide? Definitely *not* the councilidiots.

One more final point. Let's assume for a moment that key boxes are indeed so good and necessary and help good firemen protect our children and elderly and all that bullshit - why are they required on business premises only? Don't private homes catch fire sometimes - or, indeed, more often? Why businesses should be protected while homes of private citizens aren't? Shouldn't the enlightened Members of City Council take care of their poor and uneducated sheeple by installing key boxes on their homes to enable Good Firemen, Policemen and Other Helpful Agents entry when they come to help? Or banning locks in the first place? Oh no, the latter is utterly undesirable. No lock or strongbox company will compensate Wise Councilmen for their hard work.

I am a facility manager of a large building in a suburb of Chicago. Local code requires we have a Knox Box. It is wired to the alarm system so opening it trips a call to our security company.

Axes won't work against the heavy steel doors and concrete that protect our facility. I think the Knox Box is reasonable, but only because the box automatically trips an alarm (police response to an alarm was about 4min, but we were located a mile from the station).

I was envisaging some sort of system where each building owner had a key that would open their Knox Box and nobody else's, while the fire department had the master key.

Still think it's a dumb idea, even if it's slightly less dumb than I originally thought. There are presumably quite a few master keys floating about - one for every fire engine in the area, at a minimum - and the potential selling price for one key that could open *every* commercial building in town has to be high enough to tempt the firefighters to corruption...

There are several processes that can be in play to mitigate the risk of a key compromise occurring.

The first involves the "Knox" brand box, which uses a Medeco Biaxial master key cut on a restricted keyway. Several third-party vendors have come up with ways of controlling access to the key, for example, a computer-audited or radio controlled unit (with backup pin pad) in the fire engines and commander's vehicles. The key is locked into the unit by turning it in a cylinder, 90 degrees or so. To get it out you have to authenticate to the box, which audits the access and releases the cylinder.

This system won't reduce the damage if a key (or the key information!) is actually compromised, but it makes damn sure the keys don't just wander around on personal keychains.

Some jurisdictions have chosen to use SUPRA TRACcess for their fire boxes. The TRACcess system is an electronic key implementing a PIN pad and periodic remote key renewal. It is very similar to one that real estate agents commonly use called DisplayKey, which is also made by Supra. TRACKey is actually used by a major telecommunications company for access to their CEEVs and other equipment boxes.

How the TRACcess system works is each employee - a field technician or firefighter - is issued a battery operated pager-sized dongle. To open a keybox (or door, etc.) you put the dongle in the door, press the green button, the four-digit PIN and the key shaped button. The dongle remembers what boxes it has opened, as does the keybox itself, and in fact I suppose it could pick up audit trails from the keybox for delivery to the mothership. Every set period of time, usually 30 days, the keyholder must dial into a toll free number to send their audit logs in exchange for an update code, typed into the PIN pad, that lets the key keep working. Each key also has to be renewed in December.

The result in the case of fire departments is that a compromised master access key can work for no more than 30 days after it has been reported stolen, and a misused key can be audited to see where it has been used. For sending the audit logs, the key dongle itself has a really clever system for doing so; there is a speaker on the back of the key which can play a modem-like data signal into a phone speaker, and I've seen this work through cellphones too. Administrators can configure an option

Programming the keys is done with a desktop programming station, at which time the administrator sets the non-user-changeable 4 digit PIN. There is actually a web-based interface to the central computer which loads an ActiveX control to talk to the programming station through the DB-9 serial port. Another ActiveX control can also use the computer's microphone to retrieve the audit logs from a key. There is a page to manually get update codes to renew an employee's access. Administrators can view any key's PIN any time.

I have doubts about the system's security. Among my major concerns: TRACcess is centrally managed by a computer called TIM; the DisplayKey equivalent is called KIM. These systems are owned and operated by GE Supra. An RSA Security-type of breach on their systems has the possibility of exposing enough information to allow access to every TRACcess and DisplayKey system in existence. The 7 digit update codes also make me suspicious of how much information differentiates each site, and how much data the key stores. Reverse engineering of the key could reveal that the key only self-enforces its own expiration and has enough keymat to open all boxes in the system forever, or worse, if systems do not have unique encryption keys a given key could be made to work across different systems.
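The two properties the comment above attributes to the TRACcess design (a stolen key keeps working for at most one renewal period, and every renewal forces an audit upload) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Supra's code or a description of its actual protocol: it assumes a 30-day period, a four-digit PIN, and replaces the 7-digit update codes with a one-way hash chain (each renewal code is the preimage of the value the dongle currently holds), so the dongle stores no long-term secret that reverse engineering could recover. The key id, seed and box names are constructed.

```python
"""Toy model of a time-limited electronic key with audit upload and periodic renewal.

Added illustration; the chain/PIN/period design is an assumption, not the real product.
"""
import hashlib
from dataclasses import dataclass, field

PERIOD_DAYS = 30      # renewal interval taken from the comment above
CHAIN_LENGTH = 12     # renewals before the dongle must be re-provisioned (assumed)


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def build_chain(seed: str, length: int) -> list:
    """Return chain with chain[i] == H(chain[i+1]); chain[0] is the dongle's anchor."""
    chain = [sha256_hex(seed)]
    for _ in range(length):
        chain.append(sha256_hex(chain[-1]))
    chain.reverse()
    return chain


class KeyServer:
    """Central administration role: holds one chain per key, releases one code per period."""

    def __init__(self):
        self.chains, self.next_period, self.revoked, self.audit = {}, {}, set(), {}

    def provision(self, key_id: str, seed: str) -> str:
        self.chains[key_id] = build_chain(seed, CHAIN_LENGTH)
        self.next_period[key_id] = 1
        self.audit[key_id] = []
        return self.chains[key_id][0]           # anchor handed to the dongle

    def revoke(self, key_id: str) -> None:
        self.revoked.add(key_id)                # e.g. key reported stolen

    def request_renewal(self, key_id: str, uploaded_log: list):
        """Always ingest the audit upload; release the next code only if not revoked."""
        self.audit[key_id].extend(uploaded_log)
        period = self.next_period[key_id]
        if key_id in self.revoked or period > CHAIN_LENGTH:
            return None
        self.next_period[key_id] = period + 1
        return self.chains[key_id][period]


@dataclass
class KeyDongle:
    key_id: str
    pin: str
    anchor: str                   # current chain value; verifies codes without any secret
    valid_period: int = 0         # highest 30-day period this dongle may operate in
    log: list = field(default_factory=list)

    def open_box(self, box_id: str, pin: str, day: int) -> bool:
        period = day // PERIOD_DAYS
        if period > self.valid_period:
            self.log.append((day, box_id, "denied: expired"))
            return False
        if pin != self.pin:
            self.log.append((day, box_id, "denied: bad PIN"))
            return False
        self.log.append((day, box_id, "opened"))
        return True

    def renew(self, code) -> bool:
        """Accept a code only if it hashes to the stored anchor, then advance one period."""
        if code is None or sha256_hex(code) != self.anchor:
            return False
        self.anchor = code
        self.valid_period += 1
        return True

    def upload_log(self) -> list:
        entries, self.log = self.log, []
        return entries


def run_timeline() -> dict:
    """Constructed scenario: normal use, one renewal, then a theft report and revocation."""
    server = KeyServer()
    anchor = server.provision("engine-7", seed="constructed-seed-not-a-real-value")
    dongle = KeyDongle("engine-7", pin="4321", anchor=anchor)
    r = {}
    r["day5_ok"] = dongle.open_box("box-A", "4321", day=5)
    r["day5_bad_pin"] = dongle.open_box("box-A", "0000", day=5)
    r["day35_expired"] = dongle.open_box("box-B", "4321", day=35)      # period 1, no code yet
    r["renew1"] = dongle.renew(server.request_renewal("engine-7", dongle.upload_log()))
    r["day35_after_renew"] = dongle.open_box("box-B", "4321", day=35)
    server.revoke("engine-7")                                          # reported stolen, day 40
    r["day50_window"] = dongle.open_box("box-C", "4321", day=50)       # still inside period 1
    r["renew2"] = dongle.renew(server.request_renewal("engine-7", dongle.upload_log()))
    r["day65_dead"] = dongle.open_box("box-C", "4321", day=65)         # period 2, never renewed
    r["audit_has_bad_pin"] = any(e[2] == "denied: bad PIN" for e in server.audit["engine-7"])
    return r


if __name__ == "__main__":
    for name, value in run_timeline().items():
        print(f"{name}: {value}")
```

The `day50_window` entry is the residual exposure the comment describes: after the theft report the dongle keeps working until its current period ends, because expiration is enforced on the device. Using a hash chain rather than a shared secret addresses the other concern raised above, since a reverse-engineered dongle yields only already-spent chain values, not future codes.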

OK, so these keys can be reverse-engineered if somebody leaves the box open. The solution to that is to not leave the box open. Why would anybody do that?

Yes, it's a security risk. But it's a risk of (mostly) theft only, i.e. movable property. A building that burns down (or blows up) is much more expensive, and then there's the risk of people dying in there.

NB: Did you ever try to go through a T90 door (i.e. one which is supposed to withstand an intense fire for 90 minutes) with a fire axe? Good luck. You'll need it.
Today's commercial buildings are *not* typically made of plywood.

But let me tell you that having keys available outside the building is, and has been, a requirement in Finland for at least 30-40 years now.

AND we do not have huge numbers of abuse cases, never had. The requirement covers all large commercial and residential buildings (blocks of flats). Not individual homes, single family houses etc. That is up to the owner to decide if he/she would like to take part in the system.

Anyway, the lock systems are hardened steel cylinders (pipe lockers) which are drilled into, usually, stone at some clearly visible location near the entrance.
The location is selected so that it's hard not to notice that someone is either trying to get keys from the pipe locker or has already taken them out. The pipe locker comes out and can't be easily separated from the actual keys, so the visible hole in the stone wall tells you that somebody is using the keys.

This is what the stuff looks like, in Finnish, sorry. Use Google Translate if you need to understand the writing also.

Some buildings have two lockers, one for building maintenance and one for firesquad. Police do not have keys as if they require entry they can ask from building maintenance folks to open the doors.

I know the key management practices differ from country to country, but thinking how long it's been used here I believe there are ways of managing the risks so that it's not abused. The locker keys are not ordinary keys you can copy at the nearest locksmith, but I don't know what other preventive measures have also been implemented.

I don't know much about that management, sorry. Just wanted to point out that it works in at least one country, also in a modest metropolitan-size city like Helsinki. And there is no lack of crooks and burglaries arriving from Russia and the Baltic countries trying to pull off something before vanishing back over the border.

The Knox Box can (and should) be wired to the building's intrusion detection system. If a key is used to open a door monitored by an intrusion detection system an alarm is initiated. If it's the FD opening the door the PD is already on the scene. A burglary that starts with a compromised Knox Box will be easier to investigate than one involving only a key to the property or a forced entry.

If the fire department misuses or mismanages their key and a loss results the insurer of the commercial property can subrogate the claim to the city's liability carrier.

If the fire department smashes in a door because there is no Knox Box the landlord will add the damaged door to the water and smoke damage caused by the sprinkler leak or fire to his insurance claim. He may also have to pay a fine and install a Knox Box to restore the occupancy permit for the property.

Reading the comments at the blog suggests the landlords involved simply don't wish to pay to come into compliance with the version of the UFC that the city has chosen to abide by, which may represent shortsighted thinking on their part. If the door gets smashed down for a false alarm the landlord gets to pay to post a guard at the building until the door is replaced or repaired. If there was a leak or a fire it's going to be very hard to get insurance without getting an occupancy permit back. Much cheaper to install the Knox Box now and join the late 20th century like the property managers on the coasts.

Given the possibility that one can obtain a master lock box key, I can think of a few potential hazards that don't even involve breaking into the stores.

For example:
For general mayhem or distractions - making 20 or 30 copies, giving them out to kids as pranks and letting the alarms keep the police running around everywhere.

For thieves - tripping the alarm on the box until the police stop coming - THEN breaking into the store.

For arsonists - setting a building on fire and booby trapping the box to take out one of the fire fighters responding - I figure this only has to happen a couple of times before the fire fighters go back to cutting their way in through the front door with axes.

@x:
breaking into one building may be easier than breaking into a box, but if you want to break into a LOT of buildings and you can reverse engineer the key, it would be a serious advantage getting into one box first.

Apparently the planned response was a complete rekey of the system, though I'm sure it would have taken months for the rekey to occur and for the city to give up looking for the missing key.

I think this system is not the security fail that people are claiming it is, however. If the building security is easier to defeat than the Knox box, they will go that route. If the building security is tougher than the Knox box, the criminal probably doesn't know what's inside the building or won't risk getting caught by the alarm, so they will bribe or extort an employee, or move to a softer target. The criminal 'mastermind' is thankfully pretty rare.

I would like to remind that locks are just keeping honest people from falling into temptation.

Given enough time, a person with a criminal mind finds his/her way around the locks if the incentive is there. You can't prevent them with just locks. You need to make them not want to break in and the problem is solved.

This is pretty common in Los Angeles for multi-tenant buildings, especially those with security doors and other controlled entry. The fire dept has a box (I forget what they are called) mounted high on a wall with some weird key supposedly only the fire dept has. Inside the box are the keys needed to open gates or whatever to get inside.

I'm actually on both sides of this; I'm a building engineer at a multi-building data center and a volunteer fire fighter. In each building, we've got a Knox Box mounted next to the front door, with a building map, a pair of grand-master keys, and a pair of all-doors RFID badges. The latter are required by the county, the map is there because my buildings are pretty complex. Speaking as a building engineer, 100% of the times we've had apparatus roll to the building it's been a false alarm, and our outer doors and some of the interior doors are sufficiently hardened that it'd be hard as hell, even with a commercial irons pack, for a crew to force entry without a frigging Hurst tool.

Putting on my fireman's hat, every front-line suppression apparatus (engine or truck) officer carries a key for the Knox with him or her while on duty. It gets turned over at the end of his shift to the next officer for the apparatus. The general idea is that we don't want to cause unnecessary destruction and harm -- our company in particular prides itself on minimizing the amount of destruction we inflict in the process of fighting fire -- and we also don't want to allow something to burn if it's possible to avoid when it might touch off a nearby building simply by radiated heat.

In short, MCB has it right: this is a problem in theory, but not in practice.

I concur with Jamie above - in practice this isn't a big deal. For once I feel that most of the comments are uninformed alarmism (pun intended).

I am also a volunteer firefighter in the Wash DC area.

At the beginning of each shift - the engine/truck officer checks to make sure all our knoxbox keys are available. This ensures a decent chain of custody. Yes, it is possible that the officer will make copies, but s/he would need the cooperation of the other 2-3 firefighters on the rig.

The other thing no one is talking about is fire alarms. These happen regularly in most commercial structures at some time.

If we (the fire department) have key access, we can quickly and without any damage assess any threats / hazards. Without keys, we either have to wait for a keyholder (and thereby place first responder units out of service for a few hours - which increases life and safety hazards), or we break something going in. Even with well trained FFs and gentle forcible entry techniques, this can still cause a few thousand dollars in damage.

IMHO as a firefighter of 15 years in a major metropolitan area, *not* using knoxboxes increases the actual risks to life safety and property. Not the other way around.

@S - If you put the wrong key in there and the fire department comes out for a fire alarm... a) your insurance company will not cover the damage the firefighters do forcing their way into the structure, and b) the fire marshal's office will give you a big fine.

@ Peter A. Steel shutters do more than let the fire burn longer. They also create life safety hazards for firefighters - you can't ventilate effectively to remove smoke and heat, and it completely screws the firefighters who need emergency egress. With over 100+ firefighter fatalities in the US per year, this is a significant risk.

Bottom line, knoxbox style devices have been used all over the world for years. if all the bad things occurred that the other posters are postulating, another solution would have been sought. Again, it's _mostly_ an academic threat.

As a firefighter, I prefer the risk go to insured goods rather than me or my crew.

In a fire, delays cost lives, both of firefighters and trapped victims.

If this speeds entry by firefighters it may well save lives.

Also, fires need oxygen. If you smash a door or window you create a way for air to enter the building, possibly creating a draft and fanning flames. If you've opened the door with a key you can usually close it again, if you've smashed a door down this becomes much harder.

Excellent analysis. The centralization, ease of undetected compromise, and lack of a good recovery option collectively make this a very, very bad idea. Of course, I wonder if the law's wording lets us dodge the vulnerability by using two sets of doors and only putting the key to the first in the Knox Box. The second door might even use a better form of physical security & access control. What you think?

Every security control has its pros and cons. The Knox Box isn't any different. If properly implemented in places where a risk analysis has shown it to be appropriate and with rigorous protocol in place to prevent the keys from falling into the wrong hands, I see no reason to throw it out of the window altogether. Of course there will always be risks, especially when folks start being sloppy about procedures or have cheap knox-offs (pun intended) installed by dodgy contractors on grounds of "budget cuts".

What I however find most disturbing about the story is that it is being made mandatory by legislators who probably don't know the first thing about security, and regardless of any business case risk assessment whether or not it is actually useful in a particular environment.

Pretty much agree with most of you. I don't really see any negatives to the drop boxes; storing the key in a cardboard box wouldn't reduce security.
Lives, or a building that can be rebuilt, or property replaced if stolen (GPS)... have access to a master key.

Or it's just that the weakness is obscure enough that sophisticated criminals don't know about it. I'll be honest: even I didn't know about these things. They aren't used in areas I've lived and worked. I also know plenty of firefighters who should never be allowed near a key to every property in the area.

Bottom line is that most attackers will be unsophisticated attackers going after low to medium value physical property, like burglars. Espionage, on the other hand, targets medium to high value assets with sophistication and cunning. Most spies mainly use these approaches: social engineering, hacking, bugs, dumpster diving and tailgating. They are the ones that concern me, as they have the intelligence & motive. These people might bribe, steal, etc. to make a copy of that master key.

They'd then have an easy way into buildings, possibly late at night, to steal information they can use against the company or sell to competitors. Off the top of my head, I already have a way to deal with the alarm issue so that they are rarely investigated or suspicion is reduced enough for many break-ins to occur.

The break-ins would create opportunities in the areas of asset ransom, trade secrets for sale, stock shorting, insider trading, physical subversion of computers, physical theft of pricey assets, and theft of employee & customer records for various nefarious uses. A dream come true for a smart and adventurous black hat.

Far from hypothetical or academic, this escrow scheme provides an easy opportunity for corporate spies or saboteurs to bypass all static, physical defenses in an organization. One key to enter them all is much better for the attacker than beating each location's individual security configuration. Honestly, I don't see why they haven't done it already. I'm guessing that the other methods still work so well with such little risk that they haven't felt the need to try this. Or they're just not that creative these days...

All of your recent posts look like they'd fit in a ruler if I placed it horizontally across the screen. Although I do like brevity, that's not your style so I'm a tad concerned. You sick again or something?

@Nick P, "The break-ins would create opportunities in the areas of asset ransom, trade secrets for sale, stock shorting, insider trading, physical subversion of computers, physical theft of pricey assets, and theft of employee & customer records for various nefarious uses. A dream come true for a smart and adventurous black hat."
True, but the entrance to a building should be the lock on a safe.
Implement security measures on the above stuff, with designs that take those areas into account.
Locking down each thing that would be worth stealing, separated over physical distance, can be tracked and alarmed. I suppose a locked front door might stop a thief exiting quickly (with most over-positives being defeat probable), but if that's the only use, a fire system that spread non-flammable oil on the ground would work better.

Agreed. I'm talking about how many companies do things, though. Bypassing those office door & desk locks will be very easy for a professional. Bypassing all of the access control would be hard. Many companies only implement the basics when it comes to physical access. Many others throw up high-tech static obstacles thinking they can reduce monitoring or personnel costs due to their extra "security". What would the effects of full access control compromise on *those* companies?

Another angle: many spies & thieves use uniforms that make monitors not pay much attention to them. Examples include grounds maintenance, utility company, auditing firm, and IT repair guy. They often have clipboards, tool bags, badges, whatever. So, total access control compromise and the guy snooping around looks like he probably belongs. It's not a good combination for the majority of small to medium-sized businesses.

@Nick P, I was thinking more about the upper melting point limit of the substance :).
With cameras it would probably be possible to edit the pictures in real time, removing a person, unless encryption was used (but that might get cracked)... and other technological means lead down that path.
Having a security guard walk around the building, although it covers less area, and with no tracking device on them, the thieves would have to hack physics, which should be a lot harder than computers; deleting or editing someone's mind is less reliable than digital means (say a lightning strike removes you from the country's database; theory, unreliable (don't trust machines)).

I'm a 30 year member of the fire service (26 as a career firefighter and officer). My town has about 150 Knox boxes, the program started in 1992.

While we have never had a lost or stolen key, some of the posts have brought up a few security issues we never considered, and I will discuss them with the other officers. It's not about government grabbing power - those who think that can remove their tin foil caps. We are looking to reduce unnecessary damage to buildings.

If there is visible smoke or fire, all bets are off; we may take out the door or use the key. By the time a firefighter gets the key in the box, the forcible entry team is ready. We would really rather use the key than break the door. If the key doesn't work, the entry team is ready.

If it is a secure facility where our tools will not work (BTW, axes are old school), yes, then we will use the box. If the box has keys for multiple interior doors, especially those with electronic locks, we will use the Knox Box. All depends on the situation and building. Interestingly, most banks have regular commercial metal frame glass doors, about 2 seconds to breach. Now the safe, on the other hand, well, let's just hope there is never a fire inside one.

The vast majority of calls I've been on with a Knox Box is an activated smoke detector which turns out to be a false alarm. We enter the building with the key, check for fire, make one attempt to reset the alarm. If the alarm resets, the owner or responsible party is notified (they are usually called by the alarm company when we are called). The fire marshal does a follow up the next day to verify the alarm is back in service (in buildings where the alarm is required by fire code).

It's often a tough call to decide to break open a door at 2AM at a multi-thousand square foot building with no smoke visible (yet?), no lock box, and the dispatcher reports the key holder is 45 minutes away. While the chance of a fire in a particular building may be one in a million, I respond to a hundred or so fires a year, so my perspective is a little different.

@KenH, "It's not about government grabbing power - those who think that can remove their tin foil caps"
Just saying a security guard would be more effective security-wise than a wall (remote entry kits and all).

Why not have a safe in the fire station with keys/access cards for the buildings? When there is a fire call, the station with the key gets told where to locate keys within the safe and takes them with them. Safes can have access control and can be regularly audited for opening and to verify keys are secure in the safe. Combined with a quality security system at fire stations, this is a solution in use at at least one major city fire brigade.

Bottom line: This is a security system which is designed to make a convenience for authorized personnel, while still keeping out the "riff-raff".

As such, it seems to work reasonably well - like most security systems - at keeping out the "riff-raff."

BUT at the same time, it IS susceptible to compromise and potentially a resultant large-scale mayhem.

Most security systems fit that definition. It's precisely what I keep saying: You can haz worse security (no Knox Box), you can haz better security (a Knox Box), but you can't haz "security" (a Knox Box AND the alarm systems connected to it CAN be compromised) (Also, why assume anyone's alarm system cannot be compromised as well as a prelude to compromising the Box?)

The comments here show how people are totally inured to the invalid notion that either a security system is invulnerable or it's totally vulnerable. It's not an either-or situation. It's both. ALL security systems without regard are both "useful" (to some degree, however small and unprofitable a la the TSA) AND ultimately vulnerable to a competent, motivated, well-resourced attacker (and sometimes to "riff-raff" who get lucky!)

D: I agree with you that having the local fire station hold the keys to businesses makes more sense. I suppose the problem then, however, is whether businesses would remember to update the keys when locks are changed, and also the probability that the fire department wants to push the key accountability and management off on someone else.

Also, I suspect that the city council members have a stake in the company making the lockboxes. Or said company bribed them.

KenH: Yes, I've seen some of the tools fire fighters use these days to get into buildings in catalogs of companies making and selling them. Straight-up "door rippers"! Cops use 'em for entry, too. So do burglars...if they're smart... :-) Get through a steel door in thirty seconds. Less noise than blowing the door, too.

@RSH, do you think the security of Knox boxes is good?
Safes stop people getting in and out, plus it's a choke point. Not saying the keys and technology are bad, but if you can't have high reliability with this system (lots of tools floating around to break it, low level), what weight do you measure? Money... it's going down the drain anyway.

Andy: The point is the term "good" is relative to the point of almost being meaningless. "Good" against what? Against "riff-raff?" Against competent attackers? And compared to what cost - and potential cost - and inconvenience for others besides the firemen? And what others - Ma and Pa convenience stores vs a jewelry exchange?

Interesting that this can cause such a hoopla in a country where locks are mostly children's toys by our standards. The Finnish system was already noted above, but one thing that should be remembered is that the keys to the lock-boxes are locked in a lock-box in our units to prevent stealing from the vehicle. Or else they are passed from person to person as shifts change.

Also, the lock boxes around us use Abloy locks that are protected by patents and only authorized locksmiths can make copies of the keys.

Sure, a fire fighter could use the key unauthorized, but the same FF could also just use his turnout gear and break down a door and in most cases no one would come and wonder what is going on. The social aspect of trusting someone wearing FF gear is so large.

And honestly, while the lockboxes do make entry into buildings much easier and faster it is the factor of limiting damages that is the primary motivation for them. I'm fairly certain no FD in the world is willing to wait for one or more hours for someone to come and start guarding a door that they broke down while checking a false alarm during the night.

And as a unit commander I know that my barrier of entry is much lower if we have a lock box instead of the case when we have to contemplate if breaking a lock or door is worth the damages.

Knox boxes on vehicle gates and their close cousin the fire padlock are faster, cheaper and safer than ripping down gates and cutting heavy chain.

Another Knox box feature -- they are normally mounted high enough up that a ladder is required to access one. Firefighters are very comfortable climbing a ladder and opening a key box with one hand. Others, not as much.

The key here is the time factor. When the fire department needs to get in quick because there is a fire, they are already running behind in a situation where everyone needs to get out alive in less than four minutes. Alarm activation / 911 call / gear up, drive to scene. Not much time left to put on SCBA, make entry and search for victims.

One can also think of forcible entry tools as universal keys with a single use audit trail that require lock replacement.

I note as an exercise for the reader that large industrial plants, military bases, film studios and the CIA maintain their own in-house fire departments. Clearly they've run the security, special circumstances and/or response time trade offs the other way.

@RSH, "Andy: The point is the term "good" is relative to the point of almost being meaningless. "Good" against what? Against "riff-raff?" Against competent attackers? And compared to what cost - and potential cost - and inconvenience for others besides the firemen? And what others - Ma and Pa convenience stores vs a jewelry exchange?

The term "good" is meaningless except for specific circumstances."

Good as in no one dies, and what you give out you expect back, i.e. no damage or future problems on any path.

"Although I do like brevity, that's not you're style so I'm a tad concerned. You sick again or something?"

It's funny that you should ask, as I keeled over in the local municipal offices and when I came to I had a hard time persuading them not to call an ambulance to cart me off to hospital (the local hospital is tired of having me stay a few days and then within the week being brought in again).

As they can't work out what the problem is I tend to not want to be in the hospital either; not just because I don't want to be there, it's also full of sick people and you really don't know what you might catch...

To all the people who keep saying how the system has been in use for years without a problem, please keep in mind that airplanes had been in use for years before someone figured out you could hijack them and then it became a problem. Same with things like DES or MD5 or buffer overflow vulnerabilities...they were just fine until they weren't. Times change and having this thing out there is a big roll of the dice that tomorrow someone won't figure out the $50 hack and then it's in every burglar's toolkit.

@Andrew, the boxes are NEVER mounted where you need a ladder to get to them, and the use of the box would not often be in a life critical situation, because if someone were in the building they could probably let the fire department in. The whole point of the box is that commercial establishments are left unattended after hours.

Oh here's a scary thought. Yesterday I walked past a building I know has a SCIF in it and bam, Knox Box right on the front. I have seen the enemy and it is us.

D - good idea, but what if the crew is returning from another call or out training? Keys left in the fire station won't do much good.

I'd like to emphasize the point several have already made - Knox boxes are generally intended to be used for fire alarms with no fire/smoke evident, or for EMS crews to access a building. The Knox boxes in most buildings are inset in the wall at a height of just over five feet - it requires a slight stretch for vertically challenged individuals and limits the ability of a thief to easily use forcible entry tools or picks. Duplication of Knox box keys is not easy, but is possible for a determined individual with the right tools. But then again they could also impression the regular door lock. The perceived risk is high, but in practice it is minimal.

Mike B - fortunately physical access is only part of the security equation. In the metro DC area there are SCIFs in commercial buildings all over the place. If there is not a 24/7 guard, the mandated 15 minute response and required interior security features are certain to slow down a thief.

"Oh here's a scary thought. Yesterday I walked past a building I know has a SCIF in it and bam, Knox Box right on the front. I have seen the enemy and it is us."

That shouldn't be a problem. I heavily doubt, due to DOD directives, that whatever keys are in the Knox Box can bypass the SCIF. SCIFs have numerous security measures & are usually monitored. I'd speculate that many would have both the obvious security measures and some hidden, additional ones just in case. A Knox Box isn't a risk to a SCIF if they're following DOD guidelines.

@ Clive Robinson

"As they cann't work out what the problem is I tend to not want to be in the hospital either, not just because I don't want to be there, it's also full of sick people and you realy don't know what you might catch..."

Here's the thing, folks. The practice of putting keys in Knox Box-type devices is well established and used in most of the western world (see above comments).

The reality is that, while yes, there is a risk inherent to the use of these devices, they haven't been abused enough that this is an actual issue.

As an information security guy by day and a firefighter by night - I get the trade-offs, but still believe that the Knox boxes overall decrease risk. That risk is that of expensive damage and life safety.

Next time you're out and about, look at commercial buildings - where you work, shop, where your kids go to school, etc... most of them have Knox boxes. Given the fear-mongering nature of US media, don't you think you would have heard all about this before now if it was an issue?

T: "requires a slight stretch from vertically challenged individuals and limits the ability of a thief to easily use forcible entry tools or picks"

Seriously? There are no six foot thieves? No step stools? We're not talking about someone wandering down the street and suddenly deciding to pick one of these. We're talking, as usual, about committed, motivated, competent attackers who have researched the issue and have acquired the necessary tools. Ripping one of these things out of a wall (if necessary) is not going to be that hard for someone like that. It's entirely a matter of planning and execution with appropriate knowledge and tools.

People are simply lucky that there aren't that many thieves with that level of competence or that many targets using these things that are worth the effort.

Once again, the fact of the matter is that the system is fine for keeping out "riffraff", and serves its intended purpose fine - but it is STILL VULNERABLE. The only question is whether the TARGET is worth the effort to the ATTACKER. In most cases it won't be (especially homes and apartment buildings and small businesses without much cash on hand.) But if a jewelry exchange with millions on hand is using this system, it's a vulnerability.

"People are simply lucky that there aren't that many thieves with that level of competence or that many targets using these things that are worth the effort."

I'm thinking the main reason behind this is that most very competent attackers are going for armored cars, sophisticated bank robberies or just doing those easy ACH frauds & other online attacks. For the online stuff, a pro can make millions in a year with little upfront investment and low risk. For offline, there are many risks, but they're quite manageable & the payoff is worth it. So, I guess the predictable payoffs, manageable risks, and the obscurity of the Knox box issue have kept the pros doing other things.

Of course, anyone thinking there isn't a Knox Box issue is missing something even scarier: a subversion of those in charge of the keys means that the attacker might get in and out without anyone ever realizing there is an attack. This kind of thing is why subversion is the most devastating form of attack. Professional spies specialize in subverting personnel. It might be speculation, but it's hard for me to think that one of these things hasn't been stealthily compromised already. It's only a matter of time.

Nick P: Yup, no doubt that's true. That's why I mention the jewelry exchange. No one would bother ripping one of these off to hit an apartment house - unless it's a Trump building...

Matthias: It may be the least of their worries, but it's one more they need to manage. The point is if it's worth the effort, they will manage it.

My suspicion is that if one went looking through the public record, I'll bet at least one robbery has been pulled off with the keys from one of those boxes somewhere sometime. Everyone is assuming it's never been done without any evidence that's true.

Hmm, I think the analogy to cryptographic key security is misplaced. Indeed, exterior doors are not about making it infeasible to break inside but making it difficult/annoying/noticeable enough that thieves don't bother. Scheduled drugs, cash and other high value portable goods are usually locked in safes or other stronger security devices.

I mean ultimately most businesses have glass windows (especially in low crime Iowa) and no ordinary commercial building can last 5 minutes against someone with an oxyacetylene torch or one of those thermal lance things. So the level of security is more analogous to a login screen on your unencrypted laptop than a cryptographic key. Ultimately keys in outdoor boxes only compromise security if they are easier and less noticeable to retrieve than the easiest/subtlest way into the building, and simply placing the boxes out front in high visibility areas suffices to achieve that goal. And there is no reason to have the key turn off your alarm system.

Also the threat model is totally different. The requirement that thieves physically show up at buildings both makes theft higher risk than network probes/monitoring and limits the total harm any given thief can do. A thief can only rob so many places in a given night so the lock boxes only reduce security if they make theft easier than it already is at the highest value least secured businesses (if not the thief can spend his time more productively at those locations). That lowers the bar substantially further.

---

Ohh and I suspect the city would only be liable for a resulting theft if they were shown to have acted negligently in the care of the boxes/keys. The situation is really no different than that other fire safety requirement that is of much greater use to burglars: the fire escape.

Ohh, and any worries about subversive entry are really unfounded. This isn't a concern for the average business, and lockpicking/open skylights/unlocked windows provide plenty of opportunity for subversive entry at normal commercial establishments.

Anyone who really cares can have loud alarms blare when the key is used or if they don't have the money tape a tamper evident seal over the door(s) openable via the lock box or use video cameras.

Replace the Knox box locks* by a lock operated by a cell phone running crypto software, such that the fire department control room can open it remotely, and you largely fix the 'lost master key' problem.
If the control system crypto database is compromised, it is cheaper to load new keys into the phones than to rekey all the boxes.

@MW, "Replace the Knox box locks* by a lock operated by a cell phone running crypto software, such that the fire department control room can open it remotely, and you largely fix the 'lost master key' problem.
If the control system crypto database is compromised, it is cheaper to load new keys into the phones than to rekey all the boxes."

It is quite a bit harder than squirting super glue in the Knox box lock, which would, I guess, be the current equivalent.

A funny story that you might appreciate,

I assume you are familiar with the "Denver Boot" / "Wheel Clamp" used in many places to extract very significant amounts of cash from car drivers by "denying them the rights and privileges pertaining to ownership" of the vehicle, but not resolving the issue of their (supposedly) poor or dangerous parking (actually making it worse, which is a sure indicator of a fund raiser)?

Well, I've been told anecdotally they are not used in Paris because of the "French Mentality": every time they see a wheel clamp they inject super glue into the lock, thereby costing the clamping company far, far more than any potential profit in clamping the vehicle and also vastly increasing the nuisance factor of the vehicle's positioning.

I should say that I have no direct knowledge of this, but it is a story I've heard from more than a couple of places and even if only partially true is still quite funny as a cause-effect invocation of the law of "unintended consequences".

On the face of it, it appears the "French Mentality" to this fundraiser imposed by "the powers that be" appears to be "S*d you, you bu88er us, we bu88er you more".

Now as an engineer I can appreciate the "grain of sand dropped in the works to bring down an Empire" it is much much more effective in the long term than any bomb or bullet, it is like the laugh in the crowd that brings down a dictator (Fall of East Germany).

In fact, we've already heard reports that a few anarchist malcontents who oppose the imposition of the boot are going to begin removing the things at random, leaving ordinary boot victims free to plead honest ignorance of the entire situation.

According to a story in the July 1984 Washington Weekly, police in the District of Columbia insist that the boots are rarely busted, and can be removed only with the proper keys or with "heavy equipment." But our sources in Washington tell us they have taken off dozens of boots over the years, often by simply letting the air out of the booted tire, and they have never faced prosecution.

By the sounds of it, these boxes are in common use throughout the land - for large commercial buildings which typically have bloody great security doors that axes won't easily open. I'd hazard a guess that they are less common on lower rent premises such as convenience stores, except in the future Cedar Falls. I'd further hazard a guess that one or more members of Cedar Falls council knows a company that makes cheaper un-alarmed devices for lower rent premises (let's call them Knox-Offs).

I am a firefighter. The last few years, my response area has begun including Knox boxes, primarily schools, libraries, and other gov't buildings. Prior to that time, I've broken into a lot of buildings in the line of duty; usually it's stuff like a false alarm, fallen elderly person or somebody trapped in an elevator. Between a credit card, pocket knife, Leatherman, axes, pry bars, Halligan, bolt cutters, oxy-acetylene torch, chain saws, K-12 saws and the Jaws of Life, a firefighter can get into pretty much any building, even if they have to go through a wall or the roof. A Knox box case can save a fair bit of damage to the building.

Even less secure are the key boxes used by realtors: press the right 4 out of 10 buttons (in any order) for access to every home/business listed on their website, no access key required. A brute force device would be fairly trivial to build.
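How small that realtor-box key space really is, and how little a brute-force device needs to do, is easy to show. The following is an added example, not code from the commenter or from any lock vendor; the lock model and the sample combination 2-5-7-9 are constructed for the illustration, and the two seconds per try is an assumed rate for a human or a simple mechanical pusher:

```python
"""Added example: key space of an order-insensitive 4-of-10 push-button lock
versus an ordered 4-digit PIN, and an exhaustive brute-force walk over it.
The lock model and the combination below are constructed for this demo."""
from itertools import combinations, product
from math import comb

BUTTONS = range(10)   # ten buttons on the face of the box
CODE_LENGTH = 4       # four of them must be pressed


class PushButtonLock:
    """Simulated lock: any set of the right CODE_LENGTH buttons opens it,
    whatever order they are pressed in. Counts attempts to show the cost."""

    def __init__(self, code):
        self._code = frozenset(code)
        self.attempts = 0

    def try_open(self, pressed):
        self.attempts += 1
        return frozenset(pressed) == self._code


def key_space(order_matters):
    """Number of distinct candidates an attacker must consider."""
    if order_matters:
        return len(BUTTONS) ** CODE_LENGTH        # ordered 4-digit PIN: 10,000
    return comb(len(BUTTONS), CODE_LENGTH)        # any-order 4 of 10: 210


def brute_force(lock, order_matters=False):
    """Enumerate every candidate exactly once. Returns (code, attempts)."""
    if order_matters:
        candidates = product(BUTTONS, repeat=CODE_LENGTH)
    else:
        candidates = combinations(BUTTONS, CODE_LENGTH)
    for cand in candidates:
        if lock.try_open(cand):
            return tuple(cand), lock.attempts
    return None, lock.attempts


def seconds_to_exhaust(order_matters, seconds_per_try=2.0):
    """Worst-case time to walk the whole space at an assumed try rate."""
    return key_space(order_matters) * seconds_per_try


if __name__ == "__main__":
    lock = PushButtonLock([2, 5, 7, 9])
    code, tries = brute_force(lock)
    print(f"opened with {code} after {tries} tries "
          f"(space: {key_space(False)} any-order vs {key_space(True)} ordered)")
    print(f"worst case at 2 s/try: {seconds_to_exhaust(False) / 60:.0f} minutes")
```

The point the numbers make: ignoring button order collapses 10,000 ordered PINs to 210 sets, so even a person pressing buttons by hand exhausts the whole space in about seven minutes, and a device that pushes the buttons does not need to be clever, only patient.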

Don't know about other parts of the country, but fire isn't the only use for such boxes in Manhattan. A Knox box or equivalent is how many multi-unit commercial and residential buildings get their mail deliveries. The mail carrier has a key that opens all the boxes on the route, and the boxes contain front-door keys on a cable long enough to reach the door.

If the Knox Box is wired to an alarm then why does it even need to be locked? Simply allow it to be opened by anyone but implement a time delay to allow security/police to reach the location.

Upside: eliminates the element of implicit trust.

Downside: the time delay would hinder firefighters too. But it may still be faster than breaking in, and can be optimized by improving security response time, which is desirable anyway.

Downside: The obvious exploit is a "denial of service" where someone manages to open the box and escape with the key in a timely manner. This would force the owner to change the locks each time this happens. But there are plenty of ways this can be prevented and mitigated.

There are more obvious downsides. The most obvious is a "pay 100 street kids to trigger all boxes they can find" attack. The likelihood that your actual target is visited by the police in the timeframe allowed is rather small.
In fact, the likelihood that random prankers will walk the street and push every "unlock the keys to the kingdom" button is rather high. Thus, the probability of somebody actually implementing this (IMHO rather stupid) idea is zero. I hope.

The boxes that are used in Germany have an outer and an inner door. The outer door is electronically unlocked remotely from the fire department when the alarm has been acknowledged. The inner door for the box containing the object's keys is unlocked with the fire department's master key. In addition, breaking into the box or trying to drill through the plate of the outer door triggers an alarm.
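The two-stage box described in the previous comment (remotely unlocked outer door, mechanically keyed inner door, tamper alarm) and MW's earlier proposal of a remotely authorised lock fit together naturally, and the authorisation step is where the interesting checks live: the control room should only authorise an unlock for an alarm it has actually acknowledged, and the box should reject anything replayed, stale or aimed at another box. The following is an added example, not code from any commenter or from any vendor's product. The box identifier, the message format, the HMAC-based authorisation, the 300-second validity window and the master-key identifier are all assumptions made for the illustration:

```python
"""Added example: toy model of a two-stage fire-department key box with a
remotely authorised outer door. Identifiers, message format and the
300 s validity window are assumptions for this demo, not any real product."""
import hashlib
import hmac
import secrets

FIRE_DEPT_MASTER_KEY_ID = "FD-MASTER-01"  # assumed id of the mechanical master key
AUTH_LIFETIME_S = 300                      # assumed validity of a remote authorisation


def _auth_message(box_id, alarm_id, nonce, expires):
    """Canonical bytes the control room authenticates and the box verifies."""
    return f"{box_id}|{alarm_id}|{nonce.hex()}|{expires}".encode()


class ControlRoom:
    """Holds each box's secret; authorises unlocks only for acknowledged alarms."""

    def __init__(self):
        self._box_secrets = {}
        self._acknowledged = set()

    def enrol_box(self, box_id):
        secret = secrets.token_bytes(32)
        self._box_secrets[box_id] = secret
        return secret  # provisioned into the box once, at installation

    def acknowledge_alarm(self, box_id, alarm_id):
        self._acknowledged.add((box_id, alarm_id))

    def authorise_unlock(self, box_id, alarm_id, nonce, now):
        if (box_id, alarm_id) not in self._acknowledged:
            return None  # no acknowledged alarm, no authorisation
        expires = now + AUTH_LIFETIME_S
        tag = hmac.new(self._box_secrets[box_id],
                       _auth_message(box_id, alarm_id, nonce, expires),
                       hashlib.sha256).digest()
        return {"box_id": box_id, "alarm_id": alarm_id, "nonce": nonce,
                "expires": expires, "tag": tag}


class KeyBox:
    """Outer door: remote, nonce-bound, time-limited. Inner door: master key only."""

    def __init__(self, box_id, secret):
        self.box_id, self._secret = box_id, secret
        self._pending_nonce, self._used_nonces = None, set()
        self.outer_open = self.inner_open = self.alarm = False

    def challenge(self):
        """Fresh nonce per attempt, so a captured authorisation is useless later."""
        self._pending_nonce = secrets.token_bytes(16)
        return self._pending_nonce

    def remote_unlock(self, auth, now):
        expected, self._pending_nonce = self._pending_nonce, None  # one answer per challenge
        if auth is None or expected is None or auth["box_id"] != self.box_id:
            return False
        if auth["nonce"] != expected or auth["nonce"] in self._used_nonces:
            return False  # wrong challenge or replay
        if auth["expires"] < now:
            return False  # stale authorisation
        want = hmac.new(self._secret, _auth_message(auth["box_id"], auth["alarm_id"],
                        auth["nonce"], auth["expires"]), hashlib.sha256).digest()
        if not hmac.compare_digest(want, auth["tag"]):
            return False
        self._used_nonces.add(auth["nonce"])
        self.outer_open = True
        return True

    def open_inner(self, key_id):
        """Only reachable with the outer door open, and only with the master key."""
        if self.outer_open and key_id == FIRE_DEPT_MASTER_KEY_ID:
            self.inner_open = True
        return self.inner_open

    def tamper(self):
        """Drilling or prying the outer plate is detected and raises the alarm."""
        self.alarm = True


def demo(now=1_700_000_000):
    """Walk the box through refusal, normal use, replay, expiry and tamper."""
    room = ControlRoom()
    box = KeyBox("box-17", room.enrol_box("box-17"))
    r = {}
    auth = room.authorise_unlock("box-17", "alarm-1", box.challenge(), now)
    r["refused_without_alarm"] = not box.remote_unlock(auth, now)
    r["inner_blocked_by_outer"] = not box.open_inner(FIRE_DEPT_MASTER_KEY_ID)
    room.acknowledge_alarm("box-17", "alarm-1")
    auth = room.authorise_unlock("box-17", "alarm-1", box.challenge(), now)
    r["opened_after_ack"] = box.remote_unlock(auth, now)
    box.outer_open = False                       # door closed again after the call
    box.challenge()
    r["replay_rejected"] = not box.remote_unlock(auth, now + 10)
    auth2 = room.authorise_unlock("box-17", "alarm-1", box.challenge(), now)
    r["expired_rejected"] = not box.remote_unlock(auth2, now + AUTH_LIFETIME_S + 1)
    auth3 = room.authorise_unlock("box-17", "alarm-1", box.challenge(), now)
    box.remote_unlock(auth3, now)
    r["inner_opened_with_master"] = box.open_inner(FIRE_DEPT_MASTER_KEY_ID)
    box.tamper()
    r["tamper_alarm"] = box.alarm
    return r


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:28s} {'ok' if ok else 'FAIL'}")
```

The design choice worth noticing is that the box holds only its own secret, and the authorisation binds box, alarm, nonce and expiry together: a message lifted from one box's radio link or phone opens no other box, opens nothing after five minutes, and opens nothing twice. The inner door remains the mechanical master key, so a compromise of the remote channel alone still stops at the outer door, which is the "two sets of doors" idea raised earlier in the thread.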